Hi,

Is anyone aware of an open-source solution (CLI or webGUI) that can restrict access to users based on their roles? For instance, I want to limit what role X can do to just list their own VMs and restart or shut it down.

I've thought of implementing this by putting an access control module inside the Xend code which would interact with some sort of mapping between users, roles, and what they can do. Would it be a better idea to instead do this in libxenlight, which is a layer down? (I want to enforce access control as close as possible to the hypervisor)

--
Ozan

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 08/12/10 10:54, Ozan Safi wrote:
> Hi,
> Is anyone aware of an open-source solution (CLI or webGUI) that can
> restrict access to users based on their roles?
> For instance, I want to limit what role X can do to just list their
> own VMs and restart or shut it down.

If you are talking about a Xen hosting solution, then there are many solutions available, both free and paid for. A good paid for one is SolusVM. A good free one is from the guys at GPLHost.

Hi,

I am looking for an open-source management solution that has support for access control. For some reason I wasn't able to access the control panel demo site but I went through dtc-xen's presentation and have not seen anything related to access control. Could you point me to a link where this is explained?

Until now, I've only seen mention of such a feature on Eucalyptus Enterprise Edition.
from http://www.eucalyptus.com/products/eee: "Sophisticated user, group, and role management allows precise control of resources within a private cloud"

If it is not available in any free and open-source software, I am planning to implement it myself. Either by extending one of the management solutions or modifying the Xen code itself.

--
Ozan

On Wed, Dec 8, 2010 at 12:29 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> On 08/12/10 10:54, Ozan Safi wrote:
>
>> Hi,
>> Is anyone aware of an open-source solution (CLI or webGUI) that can
>> restrict access to users based on their roles?
>> For instance, I want to limit what role X can do to just list their own
>> VMs and restart or shut it down.
>
> If you are talking about a Xen hosting solution, then there are many
> solutions available, both free and paid for. A good paid for one is SolusVM.
> A good free one is from the guys at GPLHost.

On 08/12/10 13:21, Ozan Safi wrote:
> Hi,
> I am looking for an open-source management solution that has support
> for access control. For some reason I wasn't able to access the
> control panel demo site but I went through dtc-xen's presentation and
> have not seen anything related to access control. Could you point me
> to a link where this is explained?

Please explain what you mean by "access control". To me, this means that you only want certain users to be able to control certain DomUs (i.e. a hosting solution). dtc-xen indeed does have access control on a per-customer basis. Just because something is tailored towards a hosting company doesn't mean that it *has* to be used for hosting. (Replace the word "customer" with "staff member")

> Until now, I've only seen mention of such a feature on Eucalyptus
> Enterprise Edition.
> from http://www.eucalyptus.com/products/eee: "Sophisticated user,
> group, and role management allows precise control of resources within
> a private cloud"

Indeed Eucalyptus supports this, but is very difficult to get going.

> If it is not available in any free and open-source software, I am
> planning to implement it myself. Either by extending one of the
> management solutions or modifying the Xen code itself.

You shouldn't (but legally can) modify the Xen code to support this. Xen is a Type 1 Hypervisor, which is out of scope for access control. Indeed, maybe modifying the xm scripts to do this may be an option, but again you run the risk of breaking something. This is why all solutions out there haven't actually modified xm scripts, but have made an "over the top" layer for control... with the assumption that direct SSH access to the Dom0 isn't available from the outside (which it shouldn't be!)

On Wed, Dec 8, 2010 at 2:29 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> On 08/12/10 13:21, Ozan Safi wrote:
>
>> Hi,
>> I am looking for an open-source management solution that has support for
>> access control. For some reason I wasn't able to access the control panel
>> demo site but I went through dtc-xen's presentation and have not seen
>> anything related to access control. Could you point me to a link where this
>> is explained?
>
> Please explain what you mean by "access control". To me, this means that
> you only want certain users to be able to control certain DomUs (i.e. a
> hosting solution). dtc-xen indeed does have access control on a per-customer
> basis. Just because something is tailored towards a hosting company
> doesn't mean that it *has* to be used for hosting. (Replace the word
> "customer" with "staff member")

I am afraid I am looking for something much more fine-grained than that. For the same domU, I need different users in different roles to be allowed to do different things to it. I also want to set constraints on them to further restrict what can be done with a specific action. (e.g. role A can do migration but for role A the action migrate is only allowed to hosts x, y, and z)

I have more demands from the access control solution, but we can start from here. I also don't expect any solution to have all of this, but if there is something to start with, I might consider extending that.

>> Until now, I've only seen mention of such a feature on Eucalyptus
>> Enterprise Edition.
>> from http://www.eucalyptus.com/products/eee: "Sophisticated user, group,
>> and role management allows precise control of resources within a private
>> cloud"
>
> Indeed Eucalyptus supports this, but is very difficult to get going.

AFAICT, only the Enterprise Edition supports this, which is neither free nor open-source and I couldn't test it because they didn't hold on to their promise of "we will contact you in 24 hours".

>> If it is not available in any free and open-source software, I am
>> planning to implement it myself. Either by extending one of the management
>> solutions or modifying the Xen code itself.
>
> You shouldn't (but legally can) modify the Xen code to support this. Xen is
> a Type 1 Hypervisor, which is out of scope for access control. Indeed, maybe
> modifying the xm scripts to do this may be an option, but again you run the
> risk of breaking something. This is why all solutions out there haven't
> actually modified xm scripts, but have made an "over the top" layer for
> control... with the assumption that direct SSH access to the Dom0 isn't
> available from the outside (which it shouldn't be!)

Why would it be "out of scope for access control"? You can implement access control in any layer. Access control is best done where the actual action takes place. Otherwise there are plenty of opportunities to get around it. If neither Xend nor Xen-API is restricted on the actual hypervisor, a bug in the management platform would allow you to do whatever you want with it.

I also don't believe Xen is a Type-1 hypervisor, but that is irrelevant right now.
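
Added example, not part of the original thread and not code from Xend, libxenlight or any product mentioned in it: a deny-by-default check for the per-domU roles and per-action constraints described in the last message (role A may migrate, but only to hosts x, y and z), evaluated immediately before the action is carried out. The user, role and domU names and the `backend` callable are assumptions made for illustration.

```python
# Added illustration, not code from Xend, libxenlight or any tool named in the
# thread. All users, roles, hosts and domU names below are constructed.

# role -> {action: constraints}; constraints map a parameter name to the set
# of values the role may use for it (empty dict = unconstrained).
ROLES = {
    "vm_user": {"list": {}, "reboot": {}, "shutdown": {}},
    "role_a": {"list": {}, "migrate": {"target_host": {"x", "y", "z"}}},
}

# Roles are assigned per (user, domU), so the same domU can give different
# users different rights.
ASSIGNMENTS = {
    ("alice", "web01"): {"vm_user"},
    ("bob", "web01"): {"role_a"},
    ("bob", "db01"): {"vm_user"},
}


def is_allowed(user, action, domu, **params):
    """Deny by default; allow only if some assigned role grants the action
    and every constraint on that action is met by the request parameters."""
    for role in ASSIGNMENTS.get((user, domu), ()):
        constraints = ROLES.get(role, {}).get(action)
        if constraints is None:
            continue  # this role does not grant the action at all
        if all(params.get(k) in ok for k, ok in constraints.items()):
            return True
    return False


def visible_domus(user):
    """'List their own VMs': only domUs on which the user holds 'list'."""
    return sorted(d for (u, d) in ASSIGNMENTS if u == user
                  and is_allowed(u, "list", d))


def perform(user, action, domu, backend, **params):
    """Check at the point of execution, before the backend call is made."""
    if not is_allowed(user, action, domu, **params):
        raise PermissionError(f"{user} may not {action} {domu} {params}")
    return backend(action, domu, **params)
```

A request that omits a constrained parameter (a migrate with no `target_host`) is denied, because the missing value is not in the allowed set.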